@stephenw10 said in Fresh install: WAN goes down and 502 Bad Gateway: running that as router-on-a-stick with VLANs rather than use a USB NIC if you can. Steve thanks. long story short: it was the usb nic. AX88179 controller is a pita for pfsense

@gwaitsi well, i got to the root of the problem but don't know how to solve. If I set the GW to WAN1 or WAN2, smtp is working. If I set the GW to WAN_GW or VPN_FW it is not working. This is true whether i put the WAN1/2 hard down. So something with using the gateway group is killing my smtp on certain clients. Have no clue on how to solve, everything else seems to work.

Here's my setup. For reference, the Vigor is on it's own interface. Obviously adjust each interface for your own. Vigor 130 Lan -> General Setup 1st IP Address: 192.168.2.1 1st Subnet Mask: 255.255.255.0 DHCP Server: Disabled PFSense What is connected where: vtnet0 - connected to Vigor 130 (vtnet0 is also shown against the WAN assignment for PPPoE). You should still be able to assign vtnet0 (or whatever your PPPoE is assigned to) against another interface to access. vtnet1 - LAN Interfaces -> Assignments: vtnet0: Modem - Static IPv4 - Address 192.168.2.20/24 vtnet1: LAN - Static IPv4 - 10.0.0.1/8 Firewall -> NAT -> Outbound Interface (Modem) Protocol (Any) Source (CIDR Range, eg, 10.0.0.0/8) Destination (192.168.2.1/24) Address (Interface Address) Firewall -> Rules -> LAN Interface (LAN) Protocol (Any) Source (LAN Net) Destination (MODEM Net)

@bcruze Worked fine for me from PuTTY using the shell. pkg upgrade I don't normally use the diag console, but I think it would be fine. I was notified by email from the script in this thread. https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts/3

And magically, both Epson R3000 and WP4530 show as online now, even though I haven't used them. Strange behaviour.

@noplan thank you

@roy360 This grabs the both the ipv4 and ipv6 networks. whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route6*:/ {print $2;}' Not sure what's going on with your rule. I'll mess with this this weekend. Would be nice to have something that periodically updates. Edited 2-27 to add: The web service I want to use (https://api.bgpview.io/asn/asn to look up/prefixes) is 'Service Temporarily Unavailable' so that approach will have to wait for another time. Not a good sign for reliability... I did write a quick script to drop the ipv4 and ipv6 prefixes for all three facebook ASNs using, whois -h whois.radb.net -- '-i origin ASxxxxx' | awk '/^route6*:/ {print $2;}', into /usr/local/www and then created two URL table aliases from those files (I did one for v4 and another for v6). Ran the script from a cron job and that looks to work OK. I'll revisit this sometime in the future.

@bmeeks That's what I figured! Thanks again!

@krbvroc1 if ipv6 broke please see this https://redmine.pfsense.org/issues/11365

@daddygo The picture is so clear for me now. I much appreciate your advice and time. CF PRO plan is right at a reasonable cost. I will prefer it. Thanks

@jimp said in Recover via WebGUI feature: No, that is not viable. It was more like a dream :) (On the 'ceph' project we've been taking about "downgrade" feature for a long time and still talking...) But it's a nice dream !

Thanks @maverickws . The purpose of this revamp: they wanted to use only single pair of pfSense so that it can handle the traffics for the whole subnet 172.16.0.0/21. For eg 172.16.1.0/24 for client A, 172.16.2.0/24 for client B, 172.16.3.0/24 for client C and so on. Initially there are 2 WAN as in 2 ISP, 1 for each pair of the old pfSense unit. So now will be reduce to only 1 WAN (1 ISP). I will need to create few VIP at the new pfsense as a gateway for each subnet, for eg 172.16.1.1/24 for client A, 172.16.2.1/24 for client B, and assign VLAN to each of the subnet and configure some rules so that they wont be able to communicate with each other.

@johnpoz OK thank you very much